Claims in SharePoint 2010: the sequel

This is a follow-up to a previous article we’ve written ( https://sharepointdragons.com/2012/01/30/claims-in-sharepoint-2010/ ). That article discusses how to set up a SharePoint site collection that supports claims authentication. To follow the sequel, you need to have set up such a site collection. From there, we’ll take it one step further and discuss how to create a custom provider that issues custom claims, and how to assign permissions to SharePoint objects based on such claims.

In the aforementioned forum thread, a member of the Danish Defence IT Agency sought to implement a hierarchical claim, one that would be able to represent the following hierarchy:

Defence Department
    Defence Command
        IT Agency
            Infrastructure
                Server Applications
                    SharePoint

As we found out later, it’s quite a common request in military organizations to have a permission structure that is very hierarchical in nature: a wide variety of security clearances with a hierarchy associated with them.

Another way would be to create a single claim and put XML in it, like so: <l>Defence department<l>Defence Command</l></l>. That works in scenarios where you’re programmatically iterating through each claim (as is done in the claims web part in https://sharepointdragons.com/2012/01/30/claims-in-sharepoint-2010/), but unfortunately it breaks down when you want to assign permissions to SharePoint objects based on such a claim.

Claims are added identically for everybody. We believe that even the most basic claim provider implementation should include some code that determines the current user.

The article stops too soon and doesn’t discuss what to do with these claims once they are set up.

Because of these shortcomings in an otherwise good article, we felt the need to redo parts of it, keeping the original example intact (it is fine as it is). This has the added benefit that the code can now be copied and pasted instead of retyped (although we’ve made minor changes), and it shows how to assign permissions to SharePoint objects based on the newly created claims.

Implementing a custom claim provider

Every SharePoint web application has a registered set of claim providers, which are triggered every time authentication is performed. It doesn’t matter whether you log in using Windows authentication (NTLM or Kerberos), forms authentication (using an ASP.NET membership and role provider), or via a Security Token Service (STS) that issues SAML claims; Active Directory Federation Services 2.0 (ADFS 2.0) is a good example of an STS. In this example, we’ll create our own claim provider and add it to the existing set. We’ve tested with both NTLM and forms authentication.
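To make the provider side concrete, here is an added example of such a provider in C#; it is not the article’s own listing. The claim type URI, the class name, the user-to-clearance table and the two account names in it are constructed for the example, and only the claims-issuing path is implemented (people-picker search and resolve are left empty).

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// Issues one "clearance" claim per level the signed-in user holds. The claim type URI,
// the class name and the user-to-clearance table are constructed for this example.
public class ClearanceClaimProvider : SPClaimProvider
{
    public const string InternalName = "ClearanceClaimProvider";
    public const string ClearanceClaimType = "http://schemas.example.org/claims/clearance";
    // Stand-in for a real clearance store (HR system, directory attribute, ...).
    private static readonly Dictionary<string, string[]> Clearances =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "CONTOSO\\alice", new[] { "None", "Top Secret" } },
            { "anton", new[] { "None" } } // forms user: lowest level only
        };

    public ClearanceClaimProvider(string displayName) : base(displayName) { }
    public override string Name { get { return InternalName; } }
    public override bool SupportsEntityInformation { get { return true; } }
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return false; } }
    public override bool SupportsSearch { get { return false; } }

    // Runs on every sign-in. 'entity' is the identity claim of the user being augmented, so
    // entity.Value (DOMAIN\user for NTLM, the membership user name for forms) tells us who it is.
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
    {
        if (entity == null) throw new ArgumentNullException("entity");
        if (claims == null) throw new ArgumentNullException("claims");
        string[] levels;
        if (!Clearances.TryGetValue(entity.Value, out levels))
            return; // unknown user: issue no clearance at all rather than a default one
        foreach (string level in levels)
            claims.Add(CreateClaim(ClearanceClaimType, level, ClaimValueTypes.String));
    }

    protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(ClearanceClaimType); }
    protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(ClaimValueTypes.String); }
    protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.FormsRole); }

    // People-picker search/resolve is out of scope here; the Supports* properties above return false.
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved) { }
    protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved) { }
    protected override void FillSchema(SPProviderSchema schema) { }
    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, string hierarchyNodeID, int maxCount, SPProviderHierarchyTree searchTree) { }
}
```

Registering it goes through a feature receiver derived from SPClaimProviderFeatureReceiver, whose ClaimProviderAssembly and ClaimProviderType properties return typeof(ClearanceClaimProvider).Assembly.FullName and typeof(ClearanceClaimProvider).FullName respectively.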

A custom claim provider needs to be registered via an event receiver based on SPClaimProviderFeatureReceiver. Step 9 of the article prescribes that you need to set the Receiver assembly and Receiver class properly. You can do that by setting:

Once you deploy it and log in, you should see the new claims issued by our custom claim provider, as shown in the next Figure.

Two tips. One: every time you change your claim provider, deploy it and then run iisreset; the changes are not visible until you do. Two: you can debug your custom claim provider by attaching the debugger to the w3wp process.

Assigning permissions to SharePoint objects

With all these brand new claims, the urge rises to do something useful with them. You can do this by granting permissions on a SharePoint web site to a claim. We’ve done this twice, for the claim values “None” and “Top Secret”. This is the code (again, we didn’t have to be very creative; we just borrowed and augmented (to use some claims terminology) the code from http://blog.mastykarz.nl/programmatically-granting-permissions-claims/):
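As an added example that is not the article’s listing (nor the borrowed code it refers to), the pattern of encoding a claim as a principal and granting it a permission level looks like this; the site URL, claim type URI and provider name are constructed for the example and must match what your provider issues.

```csharp
using System;
using Microsoft.IdentityModel.Claims;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;

// Grants a permission level on a web to everyone who carries a given claim, by turning the
// claim into a SharePoint principal. Site URL, claim type URI and provider name are constructed.
public static class ClaimPermissions
{
    // Must match the claim type and internal name of the provider that issues the claim.
    const string ClearanceClaimType = "http://schemas.example.org/claims/clearance";
    const string ProviderName = "ClearanceClaimProvider";

    public static void GrantToClaim(string siteUrl, string claimValue, SPRoleType roleType)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            // Build the claim exactly as the provider issues it. The original issuer must name
            // that provider; with a different issuer SharePoint sees a different principal.
            SPClaim claim = new SPClaim(
                ClearanceClaimType,
                claimValue,
                ClaimValueTypes.String,
                SPOriginalIssuers.Format(SPOriginalIssuerType.ClaimProvider, ProviderName));

            // The encoded form ("c:0...") is what SharePoint stores as the principal's login name.
            string encoded = SPClaimProviderManager.Local.EncodeClaim(claim);
            SPUser principal = web.EnsureUser(encoded);

            // Give the claim principal its own entry in the web's permissions.
            if (!web.HasUniqueRoleAssignments)
                web.BreakRoleInheritance(true);
            SPRoleAssignment assignment = new SPRoleAssignment(principal);
            assignment.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(roleType));
            web.RoleAssignments.Add(assignment);
        }
    }

    // Console entry point; it uses the server object model, so it has to run on the SharePoint server.
    static void Main(string[] args)
    {
        const string siteUrl = "http://intranet.example.local/sites/claims"; // constructed
        GrantToClaim(siteUrl, "None", SPRoleType.Reader);
        GrantToClaim(siteUrl, "Top Secret", SPRoleType.Reader);
        Console.WriteLine("Read permission granted to the None and Top Secret claims.");
    }
}
```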

Or, in some ways, the user.aspx application page shows it even more clearly:

After that, we created a custom list called MySecrets containing the items None and Top Secret:

If you want to see the None list item, you need to either be a site collection administrator or have the None claim. This can be seen in the next Figure:

To see the Top Secret list item, you’ll need to have the Top Secret claim (or be an administrator):

You can experiment with the custom claim provider and verify that this indeed works. Please note that in our example we’ve provided all claims for everyone. If you modify the example so that it only provides a None claim, you’ll see the difference. In our case, it’s poor Anton the forms user who has to suffer:

6 responses to “Claims in SharePoint 2010: the sequel”

The class Program that you created to assign the permissions to the site… how is that applied to the SP site? The code is simple and easy to follow, but being new to SP I don’t know how to get this code to run on my SP site. Can you give some tips for a beginner on that topic?

Ah, just create a console application using Visual Studio and paste in the code. Remember, the console app has to run on the SharePoint server itself, because it uses the SharePoint server object model and otherwise it won’t run. Other things to look out for: make sure you compile the console app using .NET 3.5 and 64-bit. It gets tedious: otherwise it won’t run!

Not to be dense, but I’m very new to both SharePoint and Visual Studio, so I apologize. When you say ‘console app’, what exactly do you mean? I don’t see an option for that in a new project or a new item. Do I just start an empty SharePoint project and add this code to it as a class? If that’s the case, how do I get that into SharePoint? So far I’m only familiar with web parts and I don’t want to add one of those for something like this. I apologize again, but I am very much a beginner and need a bit of hand-holding 🙂
If you wouldn’t mind, would I be able to contact you through email about this?

Well, it’s better to ask than to wander… Start Visual Studio, then choose New Project > Visual C# > Windows > Console Application. In this case, the code is run from a stand-alone program, so you don’t need to actually put it in SharePoint. You do need to add references to the SharePoint DLLs, which is made really easy using the CKSDev tools described in http://social.technet.microsoft.com/wiki/contents/articles/8666.sharepoint-2010-best-practices.aspx#Top . If you want, you can also take the code and run it somewhere else, such as in a web part. In that case, you only need to copy the contents of the main method.